IPSec VPN through ZBF

Aug 23rd, 2010

Hello All,

I am porting the config from a 1841 that had a L2L IPSec VPN setup with a Sonicwall peer. This 1841 had a CBAC firewall on it as well. We are retiring this router and moving the VPN over to a 1941 router with a Zone-based firewall. How do I set up the ZBF to allow this IPSec VPN tunnel? Can I use VTI when connecting to a non-Cisco host (Sonicwall)? Right now there are only two zones setup (inside/outside).


Jitendriya Athavale (Cisco Employee), Mon, 08/23/2010 - 08:03

Well, since you have only 2 zones it makes life much easier; you don't have to worry about permitting ESP and ISAKMP traffic in ZBF.

Now, since you have 2 zones, have the following configured for the IPsec VPN:

zone-pair out-in
  match ACL: remote end network to my end network
  action: inspect

zone-pair in-out
  match ACL: my end network to remote end network
  action: inspect

I would suggest using 15.0 code or later whenever you are implementing ZBF; it has better support for ZBF.

Diego Armando C... (Bronze, 100 points or more), Mon, 08/23/2010 - 12:11

And do not configure a self zone. If you do, you will have to permit ESP and UDP 500, basically. You will need to create 2 zones, from Out to Self and another one from Self to Out, to PASS ESP.
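A complete IOS configuration for the two-zone design the two replies above describe, added here as an example; it is not taken from either reply or from the poster's 1841. Interface names, the RFC 5737 addresses, the peer address and all object names are assumptions. It keeps the crypto-map (policy-based) design the 1841 used; a VTI design would instead place the Tunnel interface in its own zone. The last part shows the extra zone-pairs Diego's reply refers to, which are needed only if a self zone is added.

```ios
! Added example (not from the thread). Assumptions: local LAN 192.168.1.0/24 on
! GigabitEthernet0/0 (zone INSIDE), WAN 198.51.100.1 on GigabitEthernet0/1
! (zone OUTSIDE), SonicWall peer 203.0.113.2 fronting 192.168.2.0/24.
!
! --- Crypto-map L2L IPsec (policy-based, as on the old 1841) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2
crypto ipsec transform-set TS-SONICWALL esp-aes 256 esp-sha-hmac
ip access-list extended VPN-INTERESTING
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map CM-SONICWALL 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-SONICWALL
 match address VPN-INTERESTING
!
! --- ZBF with two zones. With no self zone, ISAKMP/ESP addressed to the
! router itself is not policed, so no pass rule is needed for it. ---
zone security INSIDE
zone security OUTSIDE
ip access-list extended IN-TO-OUT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-OUT-TO-IN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
class-map type inspect match-all CM-IN-TO-OUT
 match access-group name IN-TO-OUT
class-map type inspect match-all CM-VPN-OUT-TO-IN
 match access-group name VPN-OUT-TO-IN
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-VPN-OUT-TO-IN
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
! Decrypted packets from the peer enter on the OUTSIDE interface, so the
! remote-to-local flows must be allowed here, not only inside-to-outside.
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 zone-member security OUTSIDE
 crypto map CM-SONICWALL
!
! --- Only if a self zone is added later: IKE (UDP 500), NAT-T (UDP 4500)
! and ESP between the router and the peer must then be passed both ways. ---
ip access-list extended PEER-TO-SELF
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
ip access-list extended SELF-TO-PEER
 permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.2
class-map type inspect match-all CM-PEER-TO-SELF
 match access-group name PEER-TO-SELF
class-map type inspect match-all CM-SELF-TO-PEER
 match access-group name SELF-TO-PEER
policy-map type inspect PM-OUT-SELF
 class type inspect CM-PEER-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-OUT
 class type inspect CM-SELF-TO-PEER
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUT
```

Two things to check after applying this: `show crypto isakmp sa` and `show crypto ipsec sa` confirm the tunnel is up regardless of ZBF, because the router's own IKE/ESP traffic is only policed once a self zone exists; `show policy-map type inspect zone-pair OUT-IN` shows sessions for remote-initiated flows, which is where a missing or wrong VPN-OUT-TO-IN ACL first shows up. Note that the self-zone pairs at the end, once configured, also drop everything else aimed at the router from OUTSIDE (SSH, ICMP, routing protocols) unless it is matched and passed or inspected, which is the reason both replies recommend leaving the self zone out when only two zones are needed.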

tjd2112pcca Tue, 08/31/2010 - 11:16

The new router has two interfaces to the internet via two different providers. Can I run CBAC and all the VPN traffic on one public interface and zone-based on the other internal client serving interface? I have read that you can mix CBAC and ZBF together.

